You could always specify the sourcing interface as opposed to the source-address, if for example you want to use a standardized configuration across many devices, as in:
    term permit_bootp_install {
        from {
            interface lo0.0;
            protocol udp;
            destination-port [ 67 68 ];
        }
    }

HTHs.

Stefan Fouant

On Thu, Mar 27, 2008 at 12:33 PM, Ian MacKinnon <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am doing some work with PXE-booting of servers and using bootp helpers
> to get to the dhcp server.
>
> All working fine so far.
>
> However the dhcp response back to the server appears to be coming from
> the local interface directly, and our standard firewalling is dropping it.
>
> I can open the firewall to allow all udp 67/68 packets through, but I
> would rather limit it.
>
> Now I could add the local ip address to the rule, but we have a
> standard set of rules we apply to all interfaces, so if there is some
> way of specifying allow locally generated packets through that would be
> better.
>
> eg
> we have an interface with an ip address like 192.168.0.1/24
> In syslog we see
> Mar 27 16:05:41 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW:
> .local..0 R udp 192.168.0.1 255.255.255.255 67 68
>
> ie the interface name is .local..0 and the source is 192.168.0.1
>
> Our firewall rule then looks like :-
>     term permit_bootp_install {
>         from {
>             source-address {
>                 192.168.0.1/32;
>             }
>             protocol udp;
>             destination-port [ 67 68 ];
>         }
>     }
>
> But rather than use the source-address what can I use for locally
> generated packets?
>
> Thanks
>
> --
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender. Any
> offers or quotation of service are subject to formal specification.
> Errors and omissions excepted. Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Lumison, nplusone or lightershade ltd.
> Finally, the recipient should check this email and any attachments for the
> presence of viruses. Lumison, nplusone and lightershade ltd accepts no
> liability for any damage caused by any virus transmitted by this email.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
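The symptom Ian describes shows up in the firewall syslog before anyone notices PXE failing: router-originated packets are logged against the pseudo-interface .local..0 with a reject or discard action. The following is an added example (not from either poster) that parses lines in the %FIREWALL-6-FW format quoted above and flags locally generated BOOTP/DHCP traffic that an interface filter blocked, so the missing permit term can be found from the logs; the sample hostnames, addresses and extra lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread:
# <interface> <action> <proto> <src> <dst> <sport> <dport>
SAMPLE_LOG = """\
Mar 27 16:05:41 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: .local..0 R udp 192.168.0.1 255.255.255.255 67 68
Mar 27 16:05:43 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: .local..0 R udp 192.168.0.1 255.255.255.255 67 68
Mar 27 16:05:44 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: ge-0/0/1.0 A udp 192.168.0.23 255.255.255.255 68 67
Mar 27 16:05:50 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: ge-0/0/1.0 D tcp 10.9.9.9 192.168.0.1 40001 22
Mar 27 16:05:51 my-router-01/my-router-01 /kernel: unrelated kernel message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: %FIREWALL-6-FW: "
    r"(?P<ifl>\S+) (?P<action>[ADR]) (?P<proto>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+)$"
)

LOCAL_IFL = ".local..0"   # pseudo-interface Junos logs for router-originated packets
BOOTP_PORTS = {67, 68}    # DHCP server / client ports used by the PXE relay

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a firewall log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_blocked_local_bootp(rec):
    """True when a locally generated BOOTP/DHCP datagram was discarded (D) or rejected (R)."""
    return (rec["ifl"] == LOCAL_IFL and rec["action"] in ("D", "R")
            and rec["proto"] == "udp" and rec["dport"] in BOOTP_PORTS)

def audit(log_text):
    """Count blocked local BOOTP hits per (source address, dst port); also count unparsed lines."""
    hits, skipped = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1      # non-firewall lines are skipped, not treated as errors
        elif is_blocked_local_bootp(rec):
            hits[(rec["src"], rec["dport"])] += 1
    return hits, skipped

if __name__ == "__main__":
    hits, skipped = audit(SAMPLE_LOG)
    for (src, dport), n in hits.items():
        print(f"{n} locally generated BOOTP packet(s) from {src} to udp/{dport} blocked")
    print(f"{skipped} line(s) were not firewall log entries")
```

A non-zero count for a source address that is one of the router's own interface addresses is exactly the case where a `from interface lo0.0` term (or the narrower source-address term) is missing from that interface's filter.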